How to connect to Microsoft Active Directory Federation Services for use with SSO?

Please complete the following guide:
  1. In the Organization Settings plugin located on the DocuWare Configurations page, navigate to the Security section and activate the single sign-on option.

  2. Go to your AD FS Server Manager and click Tools > AD FS Management.

  3. Go to Service > Endpoints and find the OpenID Connect Discovery endpoint.
  4. Switch back to the Organization settings plugin where single sign-on was previously enabled and go to Security > Enable single sign-on with your identity provider > Configure single sign-on connection. Choose Microsoft Active Directory Federation Services from the first dropdown.
  5. In the Issuer URL input field, insert the OpenID Connect discovery endpoint URL. As an example: if your AD FS host is “https://myadfs.net” and your discovery endpoint is “/adfs/.well-known/openid-configuration”, the Issuer URL is the host followed by the discovery endpoint path.
  6. Go back to your AD FS settings and choose Application groups.
  7. Click on "Add Application Group" in the right sidebar.

  8. Choose a name and description for the application group, e.g. “DocuWare”, choose the type Server Application accessing a Web API and click Next.
  9. The Client Identifier will be generated. Copy the ID and go to DocuWare.

  10. Paste the client identifier in the “Client ID” field, then copy the Callback URL provided and save your settings. Once completed, switch back to AD FS.
  11. Within the AD FS configuration, paste the Callback URL in the Redirect URI box and click Add, then click Next.
  12. The next window prompts you to select application credentials, which are not needed here; choose Generate a shared secret so you can proceed.
  13. On the next screen there is an Identifier box. Paste the Client ID from step 9 and click Add; it is important that it is exactly the same. Once completed, click Next.
  14. Leave the default settings and click Next.

  15. Select the application you have just created and, in the Permitted scopes list at the bottom, choose allatclaims, profile and openid, then click Next.
  16. Check that everything is set up correctly and finish your application creation.
  17. Double-click on your newly created application group, which opens a properties window. Double-click the DocuWare Web API.

  18. In the new window, choose the tab “Issuance Transform Rules” and add a rule.
  19. Choose "Send LDAP attributes as claims" from the Claim rule template dropdown and click Next.

  20. In the next window, choose your claim rule name, e.g. “DocuWare object guid rule”. In the Attribute store dropdown choose "Active Directory", then in the table below type objectGUID in the LDAP Attribute field and oid in the Outgoing Claim Type field.
  21. Select Finish and apply your changes.
  22. After saving the settings, users can log in with their DocuWare user name and password and also use Single Sign-on via Microsoft. Logging in with DocuWare login data cannot be deactivated at this time.

    A note about option “Automatically link existing users at login”:
    If this option is enabled, the first time a user logs on with single sign-on DocuWare searches for an existing DocuWare user whose username and email address correspond to the Active Directory account. The DocuWare username must match the local part (the part before the @) of the Active Directory username, and the DocuWare email address must match the complete Active Directory username.

    Only when the username AND the email address match can the Active Directory user account and the DocuWare user account be connected.

    DocuWare username: peggy.jenkins
    (NOT pjenkins or peggyj; it must be an exact match to the value before the @ character.)
    DocuWare Email address:

    It is not necessary to create DocuWare users via the User Synchronization app in order to use single sign-on. Even if you create new users manually or import them via an interface, the external user account and the DocuWare account are automatically synchronized. Once a user has been assigned, the user is recognized from this point on through an external object ID.
    This means that even if the email address and/or username no longer match, the user will still be recognized.

    This KBA is applicable to both On-Premise and Cloud organizations.